I have the light, come get enlightened …

Tag Archives: Win32/Conficker

Downadup is second only to the notorious SQL Slammer worm that devastated the Internet in 2003. It exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in the Windows Server service; once in, it disables the operating system update service, the Security Center (including Windows Defender) and error reporting. It's difficult to remove because of its built-in update service.

Its devastation was so severe that Microsoft had to set up a hotline so that people could report tips about the Conficker developers.

Finally, BitDefender seems to have come up with a solution. It claims to have made the first vaccination tool to remove the Conficker virus.

This is a follow-up to my article on the Win32/Conficker worm, which has grabbed attention through its widespread infection.
Even Microsoft seems to have been hit by its spread. Recently, it came forward to offer $250,000 to anyone who “catches” the worm authors.

One of the worst scenarios of this worm affecting day-to-day operations is the incident where the Houston police department was forced to stop arresting people with traffic warrants because the worm spread its way through the police and city court’s computer systems. There was also a Conficker outbreak among French military computers, which led to several fighter planes being grounded until everything could be fixed.

Microsoft has joined hands with ICANN (Internet Corporation for Assigned Names and Numbers) and other experts such as VeriSign, AOL and F-Secure to trace the worm creators.

“The best way to defeat potential botnets like Conficker/Downadup is by the security and domain name system communities working together..” : ICANN chief Internet security advisor Greg Rattray.

Microsoft has implemented an Antivirus Reward Hotline at 1-425-706-1111,
and an Antivirus Reward Mailbox at avreward@microsoft.com to share tips.

The Conficker threat is growing day by day. The latest variants of Conficker have spread to over 9 million PCs and servers worldwide, as the worm uses multiple techniques to reach vulnerable systems. This dangerous worm is also known as Downadup, WORM_DOWNAD.A and even Net-Worm.Win32.Kido.l.

The worm initially spread to systems unpatched against MS08-067, but it has since evolved and is now able to spread to patched computers as well, through portable USB drives and through brute-force password guessing. The malware first tries the credentials of the logged-on user. If that fails, it attempts to obtain a list of user accounts on the target machine and then tries to connect using each user name together with a list of weak passwords, such as “1234” or “password”. The first variant of the Conficker worm appeared in November 2008. Security researchers began to see the second variant of the malware in late December 2008.
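The account-walking behaviour described above leaves a distinctive trace in Windows Security logs: one source host failing logons against many different accounts on one target within seconds, sometimes followed by a success once a weak password matches. The detection below is an added example for this post, not code from Microsoft or any vendor; the log format and the event values are constructed and simplified (4625 = logon failure, 4624 = successful logon).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events; not real captures.
SAMPLE_LOG = """\
2009-01-20 09:00:01 4625 src=10.0.0.17 target=FILESRV user=administrator
2009-01-20 09:00:02 4625 src=10.0.0.17 target=FILESRV user=backup
2009-01-20 09:00:02 4625 src=10.0.0.17 target=FILESRV user=jsmith
2009-01-20 09:00:03 4625 src=10.0.0.17 target=FILESRV user=rdavis
2009-01-20 09:00:03 4625 src=10.0.0.17 target=FILESRV user=guest
2009-01-20 09:00:04 4625 src=10.0.0.17 target=FILESRV user=svc_sql
2009-01-20 09:00:05 4624 src=10.0.0.17 target=FILESRV user=svc_sql
2009-01-20 09:05:00 4625 src=10.0.0.44 target=FILESRV user=jsmith
2009-01-20 09:05:30 4625 src=10.0.0.44 target=FILESRV user=jsmith
"""

def parse_events(log):
    """Yield (timestamp, event_id, fields) for each non-empty line."""
    for line in filter(str.strip, log.splitlines()):
        date, time, event, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        yield datetime.fromisoformat(f"{date} {time}"), int(event), fields

def find_spraying_sources(log, window=timedelta(minutes=2), min_accounts=5):
    """Map src -> {target: sorted accounts} for sources that failed against at
    least `min_accounts` distinct accounts on one target inside `window`."""
    failures = defaultdict(list)  # (src, target) -> [(ts, user), ...]
    for ts, event, f in parse_events(log):
        if event == 4625:
            failures[(f["src"], f["target"])].append((ts, f["user"]))
    hits = defaultdict(dict)
    for (src, target), attempts in failures.items():
        attempts.sort()  # sliding window over the failures in time order
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                hits[src][target] = sorted(users)
                break
    return dict(hits)

def successes_after_failures(log, src):
    """Accounts `src` logged on to (4624) after it had already failed a logon:
    the case where one of the guessed weak passwords finally matched."""
    seen_failure, matched = False, []
    for _, event, f in sorted(parse_events(log), key=lambda e: e[0]):
        if f["src"] == src and event == 4625:
            seen_failure = True
        elif f["src"] == src and event == 4624 and seen_failure:
            matched.append(f["user"])
    return matched
```

A lone user mistyping one password (the 10.0.0.44 lines) never trips the rule; the thresholds are assumptions to tune per environment.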

Many experts have compared the Conficker attack to Nimda, another bug that hit corporations in 2001 and also spread quickly. Others have speculated that the bug may be the beginning stages of a new botnet.

Downadup contains a number of features designed to make it harder for security professionals to shut down. The worm, which was first reported by Panda and other security companies on Dec. 31, 2008, exploits a vulnerability in the Windows Server service that’s part of all currently supported versions of Microsoft’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

Some of the activities it carries out once on your system:

Connects to external sites to download additional files.

Deletes the user’s Restore Points.

Registers a service called Netsvcs.

Creates its own simple HTTP server on the infected computer and spreads the worm to other computers on the network through file shares.

Creates an Autorun.inf file in file shares to execute the worm files once the share is accessed by another computer.

A few reasons why Conficker is spreading rapidly:

It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

It exploits the MS08-067 vulnerability.

It brute-forces Administrator passwords on local networks and spreads through ADMIN$ shares.

The major strength of Conficker is USB sticks. Downadup creates its own Autorun.inf file and transports itself to every system the stick is inserted into. I would suggest that you disable AutoPlay in your environments, unless it’s really necessary.
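Disabling AutoPlay is the right fix; where a stick or share still has to be examined, the autorun.inf itself tells you what AutoPlay would have launched. The checker below is an added example written for this post, not code from the worm or from any vendor: it parses only the key=value lines under [autorun], skipping junk lines, and flags launch directives that point at a DLL or executable on the medium. The sample file content and the file name payload_EXAMPLE.dll are constructed.

```python
import re

# Directives AutoPlay/AutoRun will act on; anything they point at on the
# medium is worth a look, a DLL loaded through rundll32 especially.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.I)
KEY_OK = re.compile(r"^[a-z0-9_\\]+$", re.I)

# Constructed sample for this example: a launch directive hidden among a
# padding line and a legitimate-looking icon/action pair.
SAMPLE_AUTORUN = """\
[autorun]
\x01\x7f\xfe=junk padding line, constructed
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=rundll32.exe .\\data\\payload_EXAMPLE.dll,Install
useautoplay=1
"""

def parse_autorun(text):
    """Tolerant INI parse: key=value lines under [autorun] only; junk lines
    (padding meant to defeat naive pattern matching) are skipped."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            if KEY_OK.match(key.strip()):
                directives[key.strip().lower()] = value.strip()
    return directives

def assess_autorun(text):
    """Return (directive, value, reason) findings for an autorun.inf."""
    findings = []
    for key, value in parse_autorun(text).items():
        low = value.lower()
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            if "rundll32" in low or ".dll" in low:
                findings.append((key, value, "loads a DLL from the medium"))
            elif re.search(r"\.(exe|com|bat|cmd|scr|pif|vbs)\b", low):
                findings.append((key, value, "runs an executable from the medium"))
            else:
                findings.append((key, value, "launch directive present"))
        elif key == "action" and "open folder" in low:
            findings.append((key, value, "mimics the built-in AutoPlay folder option"))
    return findings
```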

INFECTED IPs WORLDWIDE (Source: F-Secure)

China           38,277
Brazil          34,814
Russia          24,526
India           16,497
Ukraine         14,767
Italy           13,115
Argentina       11,675
Korea           11,117
Romania          8,861
United States    3,958
United Kingdom   1,789

One interesting fact related to this worm is that the Microsoft blog noted that the variant avoids infecting computers that use a Ukrainian keyboard layout, raising suspicions that the malware authors are located in Ukraine. So the Conficker worm is expected to have originated from Ukraine.

Win32/Conficker is a new worm out there, which seems to be a headache for Windows users these days. It seems to exploit a vulnerability in the system which has been addressed in MS08-067, a Microsoft security update.

“It opens a random port between port 1024 and 10000 and acts like a Web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll,…. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too, ….” : Microsoft